The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent.
Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign "exhibits updated TTPs to previously reported MuddyWater activity," which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
While the latest development marks the first time MuddyWater has been observed using N-able's remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor.
The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter).
The state-sponsored group is a cyber espionage crew that's said to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been active since at least 2017.
Prior attack sequences have entailed sending spear-phishing emails with direct links as well as HTML, PDF, and RTF attachments containing links to archives hosted on various file-sharing platforms that ultimately drop one of the aforementioned remote administration tools.
The latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Mango Sandstorm and Static Kitten.
What's different this time around is the hosting: the lure archive is served from Storyblok, a headless content-management platform whose asset storage can be used to host arbitrary files and which had not previously been seen in MuddyWater campaigns, and that archive initiates a multi-stage infection chain.
"It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool," security researcher Simon Kenin said in a Wednesday analysis.
"After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target."
The lure document displayed to the victim is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from its official website.
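The chain described above (an archive whose entries carry the hidden attribute, a shortcut that starts the infection, and an executable bundled alongside a decoy document) is a pattern a responder can triage mechanically before anything is opened. The script below is an added example and is not code from Deep Instinct, Group-IB or the campaign itself: it parses the fields of a Windows shell link (.lnk, per MS-SHLLINK) that matter for triage, then walks a ZIP archive flagging hidden entries and shortcuts that launch an executable bundled in the same archive. The archive it inspects is constructed inline as a stand-in for the lure; the file names (`Civil_Service_Memo.pdf.lnk`, `agent_setup.exe`) are assumptions, not the real sample's names, and the ZIP container is likewise an assumption since the page does not say which archive format was used.

```python
import io
import struct
import zipfile

# ShellLinkHeader LinkFlags (MS-SHLLINK 2.1.1) that decide what follows the 76-byte header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk (little-endian fields).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand that runs the target without a visible window
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
LAUNCHERS = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe")


def parse_lnk(data: bytes) -> dict:
    """Extract the triage-relevant parts of a .lnk: LinkFlags, ShowCommand and the StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize (2 bytes) plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure, skip it
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_command}
    for key, bit in STRING_FIELDS:               # each StringData item: CountCharacters, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return out


def triage_archive(zip_bytes: bytes) -> list:
    """Flag hidden entries and shortcuts that launch an executable bundled in the same ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        basenames = {i.filename.rsplit("/", 1)[-1].lower() for i in infos}
        for info in infos:
            reasons = []
            # MS-DOS attributes sit in the low byte of external_attr, but only for archives
            # written on MS-DOS/Windows (create_system == 0); 0x02 is FILE_ATTRIBUTE_HIDDEN.
            if info.create_system == 0 and info.external_attr & 0x02:
                reasons.append("hidden attribute set")
            finding = {"name": info.filename, "reasons": reasons}
            if info.filename.lower().endswith(".lnk"):
                lnk = parse_lnk(zf.read(info))
                target = (lnk.get("relative_path") or "").lower()
                target_base = target.replace("\\", "/").rsplit("/", 1)[-1]
                finding["target"] = target
                if target_base.endswith(".exe") or target_base in LAUNCHERS:
                    reasons.append("shortcut launches an executable: " + target)
                if target_base and target_base in basenames:
                    reasons.append("shortcut target is bundled in the same archive")
                if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                    reasons.append("ShowCommand hides the window (SW_SHOWMINNOACTIVE)")
            findings.append(finding)
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed minimal Unicode .lnk carrying only RelativePath and Arguments (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive (not the real sample): a visible shortcut
    plus a hidden executable and a hidden decoy document. File names are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Civil_Service_Memo.pdf.lnk", build_lnk(".\\agent_setup.exe", "Civil_Service_Memo.pdf"))
        for name, payload in (("agent_setup.exe", b"MZ-stub"), ("Civil_Service_Memo.pdf", b"%PDF-1.4 decoy")):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 0          # mark as Windows-made so the DOS attribute byte is meaningful
            zi.external_attr = 0x02       # FILE_ATTRIBUTE_HIDDEN
            zf.writestr(zi, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["name"], "->", "; ".join(f["reasons"]) or "nothing notable")
```

Two caveats for real use: shortcuts that carry only a LinkTargetIDList (no RelativePath) need the IDList parsed to recover the target, which this parser skips, and the hidden-attribute check only means something for archives produced on Windows, so an archive repacked on another platform loses that signal even if the original files were hidden.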
Deep Instinct also said it spotted the MuddyWater actors using a new command-and-control (C2) framework called MuddyC2Go, a successor to MuddyC3 and PhonyC2, which it reads as a further sign that the group continues to invest in and refresh its tooling.